- Business
- Consumer affairs
- Consumer safety
This was published 2 years ago
Opinion
No, Optus doesn’t need to keep your sensitive information for so long
Rachael Falk
CEO of the Cyber Security Cooperative Research CentreNews of the Optus cybersecurity attack is shocking. The millions of customers potentially impacted by the breach is mind-boggling. But the really startling question is how a breach of this magnitude is still occurring in 2022.
While cyber breaches are a reality for any organisation – large or small-running systems connected to the internet with perfect cybersecurity is an impossibility – what we do know is that cyberattacks, hacks, breaches or whatever you want to call them, are entirely foreseeable.
The magnitude of such breaches can be minimised by making conscious choices about what to use, hold and store – and, if it must be stored, storing it securely so that it cannot be easily accessed. These choices are not new and encryption is not a novel, unreachable solution.
There have been far too many cyberattacks where staggering amounts of personal information have been stolen. Think the Target hack in 2013, the Office of Personnel Management in the US in 2014, UK telecommunications provider TalkTalk in 2015, Equifax in 2017 and the ANU in 2018. All of these breaches had variants of the same thing: data theft, varying degrees of highly personal information and, in many cases, the impact of these breaches could have been minimised.
These are all learnable events.
Each time a cyber incident happens, organisations should sit up and assess whether this could happen to them.
What makes the Optus breach more astounding is that it is alleged that a subset (some put it at 2 million-plus customers and former customers) have had their highly personal information stolen. Licence and passport numbers are examples of the data that Optus believes may have been accessed.
Unconfirmed reports suggest that access to the sensitive customer data was through what is known as an Application Programming Interface, also known as an API. This is an interface that allows two applications to talk to each other, such as when you use the weather app on your phone, the app uses an API to get the weather. In this case, when that API is on a system connected to the internet, if it is not secured properly, you have left the door open to allow the cybercriminals to start extracting data. They will grab any data they can grab – in this case valuable customer data.
It is laudable that Optus announced the breach promptly and its chief executive addressed the media. There is no doubt Optus invests money in protecting its systems and has people who work diligently on minimising cyber risk. However, the missing part can often be that the gatekeepers who work hard to protect these systems are often not aware of the type of data kept in these systems.
The real issue Optus will have to investigate is why it was holding such sensitive personal information? So much sensitive data that had only an initial, point-in-time use. This just appears to be data gluttony and it must stop.
There are only downsides for customers once this data is stolen. This turns a customer (who may have been loyal) into a victim that can be re-victimised in many different ways after the breach.
The pernicious thing about data theft and use of stolen data is that it is an unseen harm. We don’t know how that data is used, stored, re-sold, sliced and diced. What we do know is that it is often buried and re-sold on the dark web and potentially used for identity theft.
The unrecognised harm is the anxiety such theft causes and the lack of power customers (now victims) have over their data once it has been stolen. All because they entrusted an organisation with this sensitive data in order to get a service.
The focus during times of cyber crisis must be on the customer – it must be on providing clear advice both on what to do and how that organisation is going to help them in the future, either with free credit monitoring services or other assistance. However, the stark reality is that once the data has been stolen and out there in the wild it can never be restored. The harm that results from a data breach lurks in the shadows for months and possibly years.
Well-intentioned emails and media releases are one thing, but it is not Optus that is necessarily the ‘victim’. It is the 9 million-plus customers who are the real victims, and may well continue to be for many months or years to come.
Rachael Falk is a former lawyer and the current CEO of the Cyber Security Cooperative Research Centre.
The Opinion newsletter is a weekly wrap of views that will challenge, champion and inform your own. Sign up here.